Security: NabarupDev/Editium

SECURITY.md

Security Policy

Thank you for taking the time to responsibly disclose security vulnerabilities in Editium.

Reporting a Vulnerability

Preferred ways to report:

When reporting, please include:

  • A clear description of the issue and impact.
  • Steps to reproduce (minimal reproduction preferred) and any proof-of-concept code.
  • The version(s) of Editium (or the package) affected.
  • Any mitigations or suggested fixes if you have them.

Do NOT include sensitive information in public issue trackers. If you must share secrets, coordinate via an encrypted channel and request a secure email address.

Our Process

  1. Acknowledgement: We will acknowledge receipt within 72 hours.
  2. Triage: We'll assess severity and scope, and may ask for additional information.
  3. Fix & Coordination: We will work on a fix and coordinate disclosure with the reporter. We try to provide a timeline for resolution, but it depends on the severity of the issue and on maintainer availability.
  4. Public Disclosure: We prefer coordinated disclosure. If you request a CVE, we will follow the standard request process.

Severity

We use common-sense severity levels:

  • Critical: Remote code execution or data exfiltration with wide impact.
  • High: Privilege escalation, major data loss, or denial of service impacting many users.
  • Medium: Problems causing incorrect behavior with limited scope.
  • Low: Minor issues, UI issues, or edge-case bugs.

Out-of-scope

  • Issues in third-party software should be reported to that project first, unless they only arise because of our code.
  • Social engineering, physical attacks, and spam are out-of-scope.

Disclosure Policy

We ask reporters to give us reasonable time to respond and ship a fix before public disclosure. We will work with reporters who wish to publicly disclose after a fix is released.

Thanks

Thank you for helping to keep Editium safe. We appreciate coordinated, responsible disclosure.

There aren’t any published security advisories